Nuclear Pack exploit kit introduces anti-honeyclient crawling feature

While profiling yet another malware and exploits serving malicious campaign, security researchers from ESET have stumbled upon a new feature introduced in the Nuclear Pack web malware exploitation kit.

For years, the security community has been developing efficient ways to evaluate the maliciousness of as many web sites as possible, by crawling them for malicious content in an automated fashion. Thanks to the rise of botnets as an exploitation platform, today's cybercriminals are largely relying on compromised legitimate infrastructure as a delivery vehicle for their malicious content, compared to using purely malicious sites as an infection/propagation vector.


More details:

We have tracked some interesting activity through the injected code block with iFrame redirection: JavaScript code is used to capture mouse activity with the onmousemove event and only after that does malicious activity continue with the redirection. This activity enabled us to identify a simple method being used to bypass crawlers used by AV companies and others. These are the first steps towards the criminal’s proactive detection of real user activity for tracking detections and bypassing malware collecting by whitehat crawlers.

The new feature is just the tip of the iceberg. Here are some of the most common evasive techniques used by cybercriminals to prevent vendors and security researchers from analyzing their campaigns:

The use of session-based cookies

The use of HTTP referrers to ensure the exploitation chain is complete
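As an added example (not ESET's or ZDNet's code), here is a honeyclient-side triage heuristic that flags captured scripts showing the pattern ESET describes, a mousemove handler whose own body performs the iframe injection or redirection, together with the referrer and cookie gates listed above; the two sample scripts and the landing host name are constructed for illustration.

```javascript
// Added example (not from the article): static triage of scripts captured by a crawler.
// It flags three evasion markers discussed above: a mousemove handler that itself
// redirects or injects an iframe, a document.referrer check, and a document.cookie check.
// Heuristic only: a handler registered by name (addEventListener('mousemove', fn)) is not
// followed to its definition, so the body check may look at an unrelated block.
const MOUSEMOVE_RE = /\b(?:onmousemove\s*=|addEventListener\(\s*['"]mousemove['"]\s*,|attachEvent\(\s*['"]onmousemove['"]\s*,)/gi;
const REDIRECT_RE = /\b(?:location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\(|document\.write\(|createElement\(\s*['"]iframe['"]\s*\)|<iframe)/i;
const REFERRER_RE = /document\.referrer/i;
const COOKIE_RE = /document\.cookie/i;

// Return the first brace-balanced block starting at or after `from` (the handler body).
function blockAfter(src, from) {
  const open = src.indexOf('{', from);
  if (open < 0) return '';
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(open, i + 1);
  }
  return src.slice(open); // unbalanced braces: inspect the remainder
}

// Return a sorted list of evasion markers found in one script.
function triageScript(src) {
  const flags = new Set();
  let m;
  while ((m = MOUSEMOVE_RE.exec(src)) !== null) {
    flags.add('mousemove-gate');
    // Redirection inside the handler body is the user-activity gate ESET describes.
    if (REDIRECT_RE.test(blockAfter(src, m.index))) flags.add('redirect-on-mousemove');
  }
  MOUSEMOVE_RE.lastIndex = 0; // reset the global regex for the next call
  if (REFERRER_RE.test(src)) flags.add('referrer-check');
  if (COOKIE_RE.test(src)) flags.add('cookie-check');
  return [...flags].sort();
}

// Constructed sample: a benign tooltip script that only positions an element on mousemove.
const BENIGN = `document.addEventListener('mousemove', function (e) {
  tip.style.left = e.pageX + 'px'; tip.style.top = e.pageY + 'px';
});`;

// Constructed sample of the gated pattern (placeholder host, not a real indicator).
const SUSPECT = `document.onmousemove = function () {
  document.onmousemove = null;
  var f = document.createElement('iframe');
  f.src = 'http://EXAMPLE-LANDING-HOST.invalid/'; document.body.appendChild(f);
};
if (document.referrer.length && document.cookie.indexOf('s=') < 0) { f.width = 1; }`;
```

Scripts that score only `mousemove-gate` are routine UI code; the combination with `redirect-on-mousemove` is what deserves a second look with synthetic mouse events enabled in the crawler.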

For the time being, the most widely used web malware exploitation kit remains the Black Hole exploit kit. Only time will tell whether its author will introduce the anti-crawling feature in the exploit kit, but given the fact that they introduce newly released exploits in a timely manner, it may already be on the "to-do" list of the cybercriminal behind the kit.
